This document discusses using symmetric encryption for applications beyond simple transmission of encrypted messages. It covers generating cryptographically secure random keys, using block cipher modes like CBC and CTR to encrypt files, and securely storing encryption keys and initialization vectors. Generating true randomness is impossible, so physical sources must be amplified with cryptographic pseudorandom number generators. Commonly used block cipher modes like ECB leak information, while CBC and CTR avoid this if properly implemented with random or changing nonces/IVs. Storing keys securely, such as encrypting them with a password-derived key, is also important for practical encrypted storage systems.

1. Stephen Kleene

2. Engineering
Cryptographic
Applications
Day 2:
Using
(and
Misusing)
Symmetric
Ciphers
David Evans
University of Virginia
www.cs.virginia.edu/evans
Microstrategy Course
11 October 2013

3. Recap: Symmetric Encryption
Ciphertext
Plaintext
AES
AES
Plaintext
Insecure Channel
Key
Key
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c  E(m), it is “hard” to learn anything
interesting about m.
“hard” = if correctly implemented and used, even the NSA can’t do
it unless they have made dozens of theoretical breakthroughs or
have energy comparable to Trillions of massive nuclear explosions
evans@virginia.edu
Engineering Crypto Applications
2

4. Today: Using Symmetric Encryption
Ciphertext
Plaintext
AES
AES
Plaintext
Insecure Channel
Key
evans@virginia.edu
Key
Engineering Crypto Applications
3

5. Today: Using Symmetric Encryption
Ciphertext
Plaintext
AES
AES
Plaintext
Insecure Channel
Key
Key
1. How to generate a good (unpredictable) key:
randomness
2. How to use symmetric encryption to do more
interesting things than just send one block:
building an encrypted file server
evans@virginia.edu
Engineering Crypto Applications
4

6. Generating Randomness
evans@virginia.edu
Engineering Crypto Applications
5

7. 0101100001111 0101101001101
0110000111011 0110000111011
1010000000011 1010100010011
1011000000011 1011000100011
1011011001011 1011011001011
1110011011110 0110011011010
0100000111000 0100100111001
Which is random?
0001110111000 0001110111001
0000111010100 0000111010100
1000101000001 1000101010001
evans@virginia.edu
Engineering Crypto Applications
6

8. 0101100001111 0101101001101
0110000111011 0110000111011
1010000000011 1010100010011
1011000000011 C1 with sequences of 5 or more
1011000100011
C1 from Puzzle Challenge
repeated symbols modified
(message Crypto.Random)
1011011001011 1011011001011
1110011011110 0110011011010
0100000111000 0100100111001
0001110111000 random?
Which is 0001110111001
0000111010100 0000111010100
1000101000001 1000101010001
evans@virginia.edu
Engineering Crypto Applications
7

9. Which is random?
Source of images: http://boallen.com/random-numbers.html
evans@virginia.edu
Engineering Crypto Applications
8

10. Which is random?
random.org
PHP rand()
(atmospheric noise)
(on Windows)
Which should you use to generate cyrptographic keys?
Source of images: http://boallen.com/random-numbers.html
evans@virginia.edu
Engineering Crypto Applications
9

11. Defining Non-Randomness
If you can find
any predictable
patterns in the
sequence, it is
definitely not
random.
evans@virginia.edu
I shall not today attempt further
to define the kinds of material I
understand to be embraced
within that shorthand
description; and perhaps I could
never succeed in intelligibly doing
so. But I know it when I see it,
and the motion picture involved
in this case is not that.
Supreme Court Justice Potter
Stewart (or pornography)
Engineering Crypto Applications
10

12. Defining
Randomness
й
ров
Andrey Kolmogorov
(1903-1987)
For a sequence s, its
Kolmogorov Complexity
K(s) = the length of the
shortest description of s
A sequence s is random,
if K(s) = |s| + C
(This is a somewhat informal version. A real
definition would need to be more careful about
stating this asymptotically.)
evans@virginia.edu
Engineering Crypto Applications
“He was to probability
theory what Euclid was to
geometry.” (Peter Lax)
11

13. Kolmogorov Complexities
s = 000000000000000…
evans@virginia.edu
Engineering Crypto Applications
12

14. Kolmogorov Complexities
s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C
t = 010011000111000011110000011111…
evans@virginia.edu
Engineering Crypto Applications
13

15. Kolmogorov Complexities
s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C
t = 010011000111000011110000011111…
description =
“t = “”; int
for (i = 1;
for (j =
for (j =
i, j;
i < N; i++) {
0; j < i; j++) t += „0‟;
0; j < i; j++) t += „1‟; }”
K(s) = log |s| + C1 < |s| + C
evans@virginia.edu
Engineering Crypto Applications
14

16. Kolmogorov Complexities
r=010110000111101100001110111010000000011101
100000001110110110010111110011011110010000011
100000011101110000000111010100100010100000101
000010011101110111111110011000101…
"from Crypto.Random import random
def random_sequence(n):
return map(lambda x: random.choice([0, 1]), range(n)) "
and
state of random module (and any entropy added during
generation)
Hmmm…maybe answer from earlier slide was wrong!
evans@virginia.edu
Engineering Crypto Applications
15

17. If your mind isn’t blown yet…
What is the smallest natural
number that cannot be
described in eleven words?
evans@virginia.edu
Engineering Crypto Applications
16

18. If your mind isn’t blown yet…
What is the smallest natural
number that cannot be
described in eleven words?
1
2
3
4
5
The smallest natural number that
6
7
8
9
10
11
cannot be described in eleven words.
evans@virginia.edu
Engineering Crypto Applications
17

19. Randomness is Essential
• Kolmogorov provides a definition of randomness
but not a “useful” one: computing K(s) for an
arbitrary s is undecidable (not just hard,
theoretically impossible)
• Impossible for a program to generate true
randomness: program can generate longer
sequence than itself
• There are physical sources of randomness (or
near randomness): quantum events, radioactive
decay, thermal noise, lava lamps, key presses
evans@virginia.edu
Engineering Crypto Applications
18

20. Amplifying Physical Randomness
Pseudo-Random Number Generator
k = f(physical randomness)
0
AES
1
k
AES
2
3
k
k
output
AES
output
output
Every once in a while, compute a new k using new physical randomness.
evans@virginia.edu
Engineering Crypto Applications
19

21. NIST SP 800-90: Recommendation for
Random Number Generation Using
Deterministic Random Bit Generators (2006)
evans@virginia.edu
Engineering Crypto Applications
20

22. Dual-EC PRNG
s0  physical randomness
si +1= φ(si P)
Update Internal State
evans@virginia.edu
P and Q are
points on an
elliptic curve
ri = φ(si Q)
si
16 least
significant bits of
ri’s x-coordinate
Generate Output Bits
Engineering Crypto Applications
21

23. Elliptic Curves
y2 = x3 – 7 (mod p)
Discrete values: x and y are integers!
Addition: P + Q
= intersection of curve with line
through P and Q
Multiplication: repeated addition
kP = P + P + … + P
Elliptic Curves are primarily used in asymmetric
crypto – but also in Dual EC PRNG
evans@virginia.edu
Engineering Crypto Applications
22

24. Elliptic Curves
P+Q
y2 = x3 – 7 (mod p)
Discrete values: x and y are integers!
Addition: P + Q
= negate intersection of curve
with line through P and Q
Multiplication: repeated addition
kP = P + P + … + P
evans@virginia.edu
Engineering Crypto Applications
P
Q
23

25. Elliptic Curves
Elliptic curve discrete
logarithm problem:
given points P and Q
on an elliptic curve, it is
hard to find an integer
k such that Q = kP.
y2 = x3 – 7 (mod p)
P + Q = point on curve where line PQ intersects
kP = P + P + … + P (multiplication is just repeated addition)
evans@virginia.edu
Engineering Crypto Applications
24

26. Curve Used by Dual-EC PRNG
NIST P-256
y2 = x3 + ax + b (mod p)
256 − 2224 + 2192 + 296 − 1
p=2
a=p−3=
b=
115792089210356248762697446949407573530086143415290314195533631308867097853948
41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x
slower than strong PRNG’s built using symmetric ciphers.
evans@virginia.edu
Engineering Crypto Applications
25

27. Why would anyone use
Elliptic Curves as basis for PRNG?
• Easier to plant a back-door in it than designs
based on symmetric ciphers
• Can be used to provide provable security
properties based on number theory
– But not done for Dual EC PRNG
evans@virginia.edu
Engineering Crypto Applications
26

28. Dual-EC PRNG
Proposed as NIST standard (2005)
s0  randomness
P and Q are (random?)
points on P-256.
si +1= φ(si P)
Update Internal State
evans@virginia.edu
ri = φ(si Q)
si
16 least
significant bits of
ri’s x-coordinate
Generate Output Bits
Engineering Crypto Applications
27

29. Image credit: Matthew Green
OpenSSL-FIPS Implementation (using NIST P and Q values)
evans@virginia.edu
Engineering Crypto Applications
28

30. “Rump session” talk at CRYPTO 2007:
You can choose Q such that:
Q = dP
then, it is easy to find e such that: P = eQ
and then easy to learn state of PRNG from
just one output!
evans@virginia.edu
Engineering Crypto Applications
29

31. Shumow and Ferguson’s conclusion:
evans@virginia.edu
Engineering Crypto Applications
30

32. Snowden Leak (5 September 2013)
2013 Intelligence Budget Request ($250M)
2013 Intelligence Budget Request
evans@virginia.edu
Engineering Crypto Applications
31

33. September 2013
evans@virginia.edu
Engineering Crypto Applications
32

34. evans@virginia.edu
Engineering Crypto Applications
33

35. evans@virginia.edu
Engineering Crypto Applications
34

36. Randomness Summary
• All cryptosystems depend on randomness
• No way to test is a value is really random
• Physical randomness is limited: need
algorithms to amplify physical randomness
• If you pseudorandom numbers are
predictable, all is (almost always) lost
evans@virginia.edu
Engineering Crypto Applications
35

37. Building an
Encrypted File
System
evans@virginia.edu
Engineering Crypto Applications
36

38. Scenario
• Documents about plan to
overthrow government stored
on (easily-stolen) device
• Password/biometric-protected
(assume that works, for now)
Data should not be readable to someone
who steals the device and can physically
extract its non-volatile (flash) storage
evans@virginia.edu
Engineering Crypto Applications
37

39. Electronic Codebook Mode
block 2
AES
block 3
block 4
AES
block 4
block n-1
AES
block n-1
block n
AES
block n
…
AES
…
block 1
block 3
divide
into
128-bit
blocks
AES
block 2
declaration.txt
block 1
k
Encrypt each block with k
evans@virginia.edu
Engineering Crypto Applications
38

40. Electronic Codebook Mode
block 2
AES
block 3
block 4
AES
block 4
block n-1
AES
block n-1
block n
AES
block n
…
AES
…
block 1
block 3
divide
into
128-bit
blocks
AES
block 2
declaration.txt
block 1
k
If two blocks have the same plaintext, with ECB they have the same ciphertext!
evans@virginia.edu
Engineering Crypto Applications
39

41. Block Size
128 bits = 16 bytes
"Benjamin Frankli" (16 characters)
Almanack
Mail
pennsylvannians.txt
declaration.txt
evans@virginia.edu
Engineering Crypto Applications
40

42. Time-Space Tradeoffs
No-memory brute force attack:
known
crib
AES
known
ciphertext
Try all keys until you
find one that fits
evans@virginia.edu
Engineering Crypto Applications
Memory: 0
Time: 2127
encryptions
(1T nuclear
mega-bombs)
41

43. Time-Space Tradeoffs
No-time (not) brute force attack:
key
AESkey(crib)
000…000
000…001
7ebc5137da5ff2
…
Pre-compute table:
4d7b9328a582c
…
Break intercepted
ciphertext message:
one table lookup!
evans@virginia.edu
sort by ciphertext
Time: 1
Memory:
2132 bytes
~$2 Decillion (1033)
Engineering Crypto Applications
42

44. Won’t quite work like this for AES, but with some more tricks.
Combination: Rainbow Tables
Precompute:
known
crib
AES
Only store these:
ciphertext
1
AES
…
AES
ciphertext
264
…
…
known
crib
AES
ciphertext
1
AES
…
AES
ciphertext
264
Time:
264
Memory: 268 bytes (~$137 Trillion)
evans@virginia.edu
Engineering Crypto Applications
43

45. 16 October 2013
University of Virginia cs4414
44

46. NSA
Meltdown?
“Experts estimate the
new center in Utah can
store data by the
exabyte or zettabyte.”
(Actual amount is
highly classified.)
45

47. Cipher Block Chaining Mode (CBC)
block 2
block 3
block 4
Initialization
Vector
block 1
AES
AES
AES
evans@virginia.edu
AES
block 1
k
block 2
block 3
block 4
Engineering Crypto Applications
46

48. Cipher Block Chaining Mode
block 2
block 3
block 4
Initialization
Vector
block 1
AES
AES
AES
AES
block 1
k
block 2
block 3
block 4
 Avoids leaking repeated plaintexts
− Cannot encrypt in parallel
evans@virginia.edu
Engineering Crypto Applications
47

49. Counter Mode (CTR)
Nonce
00000000
Nonce
00000001
…
Counter
block 1
k
block 2
block 1
evans@virginia.edu
AES
AES
k
Increase
counter for
each block
block 2
Engineering Crypto Applications
48

50. Counter Mode (CTR)
Nonce
00000000
Nonce
00000001
…
Counter
AES
AES
k
k
block 1
Increase
counter for
each block
block 2
 Avoids leaking repeated plaintexts
 Can encrypt and decrypt in parallel
⁇ Systematic input
block 1
evans@virginia.edu
block 2
Engineering Crypto Applications
49

51. How should
our young
subversive
store master
key k and
(per-file)
nonces?
evans@virginia.edu
Engineering Crypto Applications
50

52. Storing the Key (?)
AES
k
Human-Remembered
4-Digit PIN
evans@virginia.edu
Engineering Crypto Applications
stored
encrypted
k
0704
51

53. Maybe this
could work with
a tamper-proof
device?
evans@virginia.edu
Engineering Crypto Applications
52

54. R2B2: $200 robot that
can try all 10000 fourdigit PINs in < 20 hours
evans@virginia.edu
Engineering Crypto Applications
53

55. Higher Entropy Passwords
AES
k
Human-Remembered
Long Password
evans@virginia.edu
stored
encrypted
k
(44 bits of entropy)
Engineering Crypto Applications
54

56. Scaling Work
repeat 1000 times
k
Human-Remembered
Long Password
evans@virginia.edu
stored
1000x
encrypted k
AES
(44 bits of entropy)
Engineering Crypto Applications
55

57. repeat 1000 times
k
AES
stored
1000x
encrypted
k
Scaling Work
(44 bits of entropy)
Time for one AES:
10 ms
Time for 244 AESs:
5000 years
(or 2 days with 1Mx computing power)
Time for 1000x AES:
10 s
Time for 244 1000x AES: 5M years
evans@virginia.edu
Engineering Crypto Applications
56

58. Scaling to a Web Service
evans@virginia.edu
Engineering Crypto Applications
57

59. http://epetitions.direct.gov.uk/
evans@virginia.edu
Engineering Crypto Applications
58

60. http://petitions.whitehouse.gov
evans@virginia.edu
Engineering Crypto Applications
59

61. Early Password Schemes
UserID
benf
Password
flyakite
samadams beer
tj
Monti07cello04
…
Login: tj
Password: wahoo
Failed login.
Guess again.
…
authentication check:
guess == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
60

62. Early Password Schemes
UserID
Password
benf
samadams
tj
…
FAIL Login: tj
Password: wahoo
beer
someone who gets
Failed login.
Guess again.
Monti07cello04
password file learns
…
all passwords
flyakite
authentication check:
guess == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
61

63. Encrypted Passwords Scheme
UserID
benf
Password
AESK(flyakite)
samadams AESK(beer)
tj
AESK(Monti07cello04)
…
Master key K
Store passwords
encrypted using K
…
authentication check:
AESK(guess) == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
62

64. Encrypted Passwords Scheme
UserID
benf
Password
FAIL Master key K
AES (beer)
Store passwords
someone who gets
encrypted using K
AES (Monti07cello04)
password file and K
…
learns all passwords
AESK(flyakite)
samadams
tj
K
K
…
authentication check:
AESK(guess) == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
63

65. Hashed Passwords Scheme
UserID
benf
Password
AESflyakite(0)
samadams AESbeer(0)
tj
AESMonti07cello04(0)
…
Store passwords
by using them as
key to encrypt 0
…
authentication check:
AESguess(0) == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
64

66. Hashed Passwords Scheme
UserID
benf
Password
AESflyakite(K)
FAIL
samadams AESbeer(K)
tj
AESMonti07cello04(K)
…
…
Master key K
Store passwords
by using them to
encrypt K
authentication check:
AESguess(K) == users[userID].password
evans@virginia.edu
Engineering Crypto Applications
65

67. “If they had consulted
with anyone that knows
anything about password
security, this would not
have happened,” said Paul
Kocher, president of
Cryptography Research, a
San Francisco computer
security firm.
evans@virginia.edu
Engineering Crypto Applications
66

68. 86% of users are dumb
Single ASCII character
Two characters
0.5%
2%
Three characters
14%
Four alphabetic letters
14%
Five same-case letters
21%
Six lowercase letters
18%
Words in dictionaries or names
15%
Other (possibly good passwords)
14%
(Morris/Thompson 79)
evans@virginia.edu
Engineering Crypto Applications
67

69. Dictionary Attacks
Seed list
All 1-4 letter words
List of common (dog) names
Words from dictionary
(4M words, 20+
languages)
Phone numbers, dates, etc.
Rules for generating passwords
http://www.openwall.com/john/
Combining words from seed list
Inserting numbers, symbols
Anything written in any popular
Replacing “l” with “1”,
password advice document!
“ate” with “8”, etc.
evans@virginia.edu
Engineering Crypto Applications
68

70. Aside: My 3-Word Password Advice
Unimportant Passwords: use “silly”
(protect service, not user)
Important Passwords:
Write them down
(but somewhat obfuscated and in a secure place)
If you can memorize it, it is not secure!
(unless you have a well-trained memory)
evans@virginia.edu
Engineering Crypto Applications
69

71. Making Dictionary Attacks Harder
UserID
benf
Password
AESflyakite(0)
Password
AESflyakite1000(0)
samadams AESbeer(0)
AESbeer1000 (0)
tj
AESMonti07cello04(0)
AESMonti07cello041000(0)
…
…
…
1. Use a more expensive cryptographic hash function
evans@virginia.edu
Engineering Crypto Applications
70

72. Making Dictionary Attacks Harder
UserID
Salt (16 bits)
Password
benf
52455
AESflyakite1000(52455)
samadams
50757
AESbeer1000 (50757)
AESMonti07cello041000(47101
AES x 1000 makes dictionary attack 1000 times harder
)
16-bit salt makes dictionary attack 216 times harder
(but doesn’t make targeted against one user harder)
…
…
tj
47101
2. Add “salt” – randomly selected
(but non-secret) value for each user
evans@virginia.edu
Engineering Crypto Applications
71

73. Two Big Problems Remaining:
1. Users are still morons
evans@virginia.edu
Engineering Crypto Applications
72

74. Two Big Problems Remaining:
1. Users are still morons
(Solving Auditors calledscope of employees and
this is outside 100 IRS this class.)
managers, portraying themselves as
personnel from the information technology
help desk trying to correct a network
problem. They asked the employees to
provide their network logon name and
temporarily change their password to one
they suggested. “We were able to convince
35 managers and employees to provide us
their username and change their password,”
the report said.
GAO Audit of IRS (2005)
evans@virginia.edu
Engineering Crypto Applications
73

75. Two Big Problems Remaining:
2. Transmitting password
Insecure Channel
petitions.gov
How does TJ know he’s really talking to petitions.gov?
How can he establish a secure channel to transmit password?
evans@virginia.edu
Engineering Crypto Applications
74

76. Plan for Next Week
Solving these problems using
asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)
open to
requests!
evans@virginia.edu
MightBeEvil.com/crypto
evans@virginia.edu
Engineering Crypto Applications
75

77. evans@virginia.edu
Engineering Crypto Applications
76